FIG. 1 is a block diagram of conventional computer network system 100, which shows two different, conventional ways of communicating computer data over a computer network. Computer network system 100 includes wide area network (“WAN”) 102, client A computer 110, client B computer 120 and server computer 130.
WAN 102 is a conventional wide area network, such as the Internet. WAN 102 is a public network in that access to the network is generally open to the public. WAN 102 preferably includes wireless and wired portions which are preferably integrated at least as seamlessly as technology will allow.
Client A computer 110 is a conventional computer, such as a desktop personal computer that includes standard browser software 114 (e.g., Netscape, Microsoft Internet Explorer). (Note, the names Netscape and Microsoft Internet Explorer may be subject to trademark or service mark rights.) Similarly, Client B computer 120 is a conventional computer, such as a desktop personal computer that includes standard browser software 124 (e.g., Netscape, Microsoft Internet Explorer).
This browser software (including, as necessary, dialer software, modem software, scripting language interpretation software and the like) allows the computers to set up connections NLC (see FIG. 1) over the WAN. Typically, these connections do not allow the computers to receive unsolicited communications, but rather, the computers can receive only communications that they solicit. (See double arrows marked NLC terminating at reference numerals 114 and 124 and definition of “unsolicited-input connection” below in the Specially Defined Terms section of this document.) Through the connection NLC, the computer's browser can specifically request and then receive computer data from other computers that are in data communication with WAN 102. By establishing connection NLC, which does not accept unsolicited data, the computer can communicate over WAN 102 without concern that it will be bombarded with unsecure, unwanted or even harmful computer data (e.g., a virus) because connection NLC will categorically refuse to receive any computer data communications beyond those it has previously requested.
While this type of solicited-input-only connection is favorable from a safety standpoint, the connection is somewhat limited because it cannot accept unsolicited data. For example, browser software 114 of client A computer 110 cannot communicate directly with browser software 124 of client B computer 120. Each of these browsers communicates data exclusively over solicited-input-only connections NLC. Accordingly, neither browser can listen for or receive the other browser's requests, so no computer data ever gets exchanged. If all connections to WAN 102 were solicited-input-only connections, then there would be no data communication whatsoever over this computer network.
However, some computers have the software necessary to establish unsolicited-input connections LC. For example, server computer 130 is a conventional server computer with a conventional listening connection to WAN 102. Server computer 130 listens for and receives requests for computer data from the browsers of various client computers (e.g., client A computer 110, client B computer 120), and sends back appropriate computer data, via WAN 102, in response to the various requests. For example, the requested computer data may be hypertext mark-up language (“HTML”) code for generating a web page.
Also, server computer 130 can be used to allow the operator of client A computer 110 to communicate with the operator of client B computer 120. For example, client A computer 110 may communicate with server computer 130 to establish an email account on server computer 130. In this case, client B computer 120 can use the solicited-input-only connection of its browser software to upload computer data (as email messages and/or attachments), through the unsolicited-input connection of server computer 130, to a storage device (not separately shown) in the server computer. After the computer data is stored and present at the server computer, client A computer 110 can request and receive this computer data through the solicited-input-only connection of its browser software 114. In this way, client A computer 110 and client B computer 120 can communicate their data through the solicited-input-only connections of their respective browsers.
Now, while the server computer has an unsolicited-input connection, it is noted that the server computer will not indiscriminately respond to all incoming, unsolicited communications. Rather, the server may implement sophisticated techniques for attempting to sort out the legitimate requests to upload computer data to, and download computer data from, the server computer. Firewall software is one example of such a sophisticated technique. It should be borne in mind that WAN 102 is a public network, so a great many parties may accidentally or purposely send communications to server computer 130.
While many of these communications will be well-intended and appropriate communications (e.g., email correspondence), some of the communications will be malformed, misdirected, and/or malicious. For example, a malicious communication may be intended and designed to get server computer 130 to download all of its data to a snoop, hacker or other unauthorized party. Server computer 130 is preferably equipped with software to identify such malicious communications and to prevent any unauthorized transmissions or computer actions.
However, because server computer 130 is connected to a public network, and because it is very difficult to identify and stop all malicious communications, the standard client-server architecture explained above is limited in terms of security and data integrity. In recognition of this fact, certain highly sensitive communications (e.g., communications containing credit card information, communications containing medical information) are not typically communicated using the standard type of browser-driven network communication explained above. One alternative method of network communication, which is more secure, will now be explained with further reference to FIG. 1.
As shown in FIG. 1, client A computer 110 has additionally been equipped with conventional virtual private network (“VPN”) software 112. Similarly, client B computer 120 has been equipped with VPN software 122. This is conventionally accomplished by putting the VPN software on a CD ROM, or other removable storage device, physically bringing the CD ROM to each client computer and copying the VPN software to a permanent storage device (e.g., hard disk drive) present at each computer.
Once the VPN software is installed at client A computer 110 and client B computer 120, then these two computers can communicate in a more secure manner. More particularly, most VPN software is structured to accept only authorized communications. For example, many conventional VPN software systems encrypt and decrypt data using algorithms and encryption keys present in or generated by the VPN software. Additionally, the VPN software may allow a client computer to establish a sort of unsolicited-input connection such that client computers can communicate more directly with each other over a public network. (When the client computers can communicate directly, it may be something of a misnomer to call them “client” computers.)
The VPN software effects a “virtual” private network because the general public will still have access to the telephone lines and other communication links of the WAN. However, the VPN software can structure the data of its communications so that it is harder to access and/or interpret, and so that it is more difficult to send unauthorized data through the VPN software connection. In other words, the VPN software at both ends of the communication makes it difficult for the general public (with WAN access) to cause any mischief with respect to the data communications sent over the WAN under control of the VPN software.
A third type of conventional computer network communication will now be explained with reference to FIG. 2. More particularly, FIG. 2 is a block diagram of network computer system 200 for making network communications by proxy. Computer system 200 includes WAN 202, local area network (“LAN”) 204, LAN server computer 210, client C computer 220 and WAN server computer 230. Again, WAN 202 is a public network for making network communications over long distances. WAN 202 is preferably the Internet. WAN server computer 230 is a conventional server computer and is similar to server computer 130 discussed above.
LAN server computer 210, LAN 204 and client C computer 220 make up a local area network. The local area network allows LAN server computer 210 and client C computer 220 to mutually communicate computer data. For example, LANs are a common architecture for organizing the various computers in a business office. If the LAN is a private network, as LANs often are, then there is a relatively high degree of security because only personnel with access to the computers in the business office can access the network for unauthorized or destructive reasons.
From a security standpoint, it might not be desirable to connect any portion of the LAN to WAN 202. Connecting the various computers of the LAN to WAN 202 opens up the potential for unauthorized communications to come in from the world at large. As such, the security level would decrease down toward the level associated with WANs. However, it is often impractical to categorically prevent the computers of the LAN from receiving computer data from the outside world.
In order to allow computers of a LAN to receive computer data from the outside world (e.g., the Internet) using their browser software, while still providing a sufficiently high level of security, the communication technology of proxy communication has been developed. In the example of FIG. 2, proxy software has been installed on LAN server computer 210 in order to allow proxied computer data communications between client C computer 220 and computers connected to the WAN, such as WAN server computer 230.
Proxied communication technology is conventional and will not be discussed in great detail herein. Generally speaking, proxy software is used to cache information received over a WAN and acts as an intermediary between the WAN and client computers that are in communication with the proxy software (but not otherwise in direct data communication with the WAN). The proxy software holds common and/or recently-used data from the WAN (e.g., WAN server computer 230) for client computers in order to provide quicker access and to increase server security.
Perhaps more importantly, proxy servers can be constructed to allow client computers to send and receive data communications, when there is a firewall interposed between the client computer and the WAN. For example, this kind of proxy software may open a socket on the proxy computer (e.g., LAN server computer 210) and allow data communication with the WAN via the open socket. In this case, the proxy software would allow requests from the browser software of a client computer (e.g., browser software 222 of client C computer 220) to go out over the WAN to their intended destination. Often proxy software involves revising the network address specified within an incoming or outgoing data communication so that the client computer and its browser software may act as if it were directly connected to the WAN and its multitude of various WAN servers (e.g., WAN server computer 230).
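The three roles described above (a listening WAN server, a solicited-input-only client, and a proxy that holds the open socket and rewrites the destination address on the client's behalf) can be exercised end to end in a few dozen lines. The following is an added illustration, not code from the original document; it runs all three roles on the loopback interface, with constructed request and response data, so that it is self-contained. It also shows why two solicited-input-only clients need a listening intermediary in order to exchange data: the client in this demo never binds a listening socket of its own.

```python
import socket
import threading

# Constructed demo (assumed names, not from the original document):
# a "WAN server" with a listening (unsolicited-input) socket, a proxy
# with its own listening socket facing the "LAN" side, and a client
# that only ever makes outbound (solicited-input-only) connections.

def wan_server(listen_sock, payload):
    """Listening endpoint: accepts one connection and answers it."""
    conn, _ = listen_sock.accept()
    with conn:
        conn.recv(4096)  # the request; its content is ignored here
        conn.sendall(payload)

def proxy(listen_sock, wan_addr):
    """Accepts the LAN client, rewrites the destination, relays data.

    The client addressed the proxy as its peer; the proxy substitutes
    the real WAN server address before forwarding the request."""
    conn, _ = listen_sock.accept()
    with conn:
        request = conn.recv(4096)
        with socket.create_connection(wan_addr) as upstream:
            upstream.sendall(request)
            while chunk := upstream.recv(4096):  # until upstream closes
                conn.sendall(chunk)

def solicited_fetch(addr, request):
    """Client: outbound connection only; it never listens."""
    with socket.create_connection(addr) as s:
        s.sendall(request)
        parts = []
        while chunk := s.recv(4096):
            parts.append(chunk)
    return b"".join(parts)

def listening_socket():
    s = socket.socket()
    s.bind(("127.0.0.1", 0))  # OS picks a free port
    s.listen(1)
    return s

def run_demo(payload=b"<html>hello from the WAN</html>"):
    wan, lan = listening_socket(), listening_socket()
    t_wan = threading.Thread(target=wan_server, args=(wan, payload))
    t_proxy = threading.Thread(target=proxy, args=(lan, wan.getsockname()))
    t_wan.start(); t_proxy.start()
    got = solicited_fetch(lan.getsockname(), b"GET / HTTP/1.0\r\n\r\n")
    t_wan.join(); t_proxy.join()
    wan.close(); lan.close()
    return got
```

The client only ever knows the proxy's address; the WAN server's address is known to, and used by, the proxy alone.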
To summarize, three conventional ways of making network communications have been described: (1) traditional client-server architecture; (2) VPN communications and (3) proxied communications. As discussed below, the present invention identifies and makes improvements to VPN and/or proxied communication processes and associated software.
One conventional device that is used in making computer network communications is called a router, which is a hardware device that connects and forwards data between two separate networks. Many routers also handle errors and keep statistics about the data communications made over the network. Conventional routers can be implemented as hardware, firmware and/or software. Although conventional router software can be transmitted over a network, the installation of such software typically requires some level of user intervention. For example, a download of conventional router software usually requires either an explicit download instruction or a request to use the software.
Another conventional device that is used in making computer network communications is called a firewall. Firewalls are devices that are used to block and/or filter data. These devices are commonly used with routers as part of a single component.